Just a few days after being falsely accused by my former web host of operating a phishing scam (the accusation still burns!), I received a LinkedIn message from a literary agent connection that piqued my interest.
Something about the message felt a little disingenuous. However, a literary agent reaching out to a writer in this manner wouldn't be unheard of (although this may be pure happenstance, and whoever devised the attack simply got lucky with a credible background).
So I decided to check out the OneDrive share.
Here are some things I did to investigate the suspicious share and correctly determine that it was a phishing attempt.
1: Check the URL Structure
If you’re dubious that something you’ve received in this manner might be a phishing scam, the first place you should check is the URL bar.
In this case, the link was to a genuine OneDrive share.
Note that, in Google Chrome, the padlock symbol to the left of the URL is shown as secure, indicating that the connection to the website is encrypted and secured by a valid Secure Sockets Layer (SSL) certificate.
2: Check the SSL Certificate
Both the fact that the connection has an SSL certificate and the identity of the issuing authority are important pieces of information: discrepancies (for example, a phishing page that uses a self-signed certificate the operator issued under its own name) can be valuable clues that something is amiss.
Let’s take a look at the SSL issuer certificate so that we can compare and contrast anything that changes:
As I would have expected, the SSL certificate on OneDrive.com, where legitimate OneDrive shares are hosted, is issued by Microsoft Corporation.
3: Watch Out For Dodgy Graphics
Here's where things got a bit phishy (get it?).
There’s no reason why the sender couldn’t have simply sent an open access link. Instead, this looks like a OneDrive link to another OneDrive folder.
But look at the image that’s embedded.
As a company with more than $125 billion in annual revenue, Microsoft are not lacking the budget to hire a graphic design team — so the pixellated image immediately drew my suspicion.
Next, read the copy it contains:
"You have a new secure message for your perusal from X".
There's no way that a staid corporate like Microsoft would use such jocular phrasing as "for your perusal" in its standard OneDrive share notification template.
Besides comparing how this link looked with a OneDrive share link that we know to be valid, we can also run an exact-string search on Google to check whether this suspicious line of copy has been reported as malware anywhere else on the internet.
4: Run Searches On Suspicious UI Copy
The one match here is from Hybrid Analysis, a free malware analysis service. Evidently, somebody has submitted this message for analysis:
When we click the “View Message Folder” button, we are then taken to another login.
5: Watch Out For Phishing URLs!
This brings us to a pretty typical phishing landing page.
Notice the following in the Omnibox:
a) We're now on an external website. Conceivably, this could be achieved legitimately by the operator adding a CNAME DNS record, if OneDrive allowed white-labelling a store site (I don't believe that they do).
b) The SSL certificate has vanished.
c) It’s no longer a Microsoft-issued certificate:
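The checks in steps 1, 2 and 5 can be scripted. The following is an added example, not code from the original post: it flags a share whose host is not a OneDrive domain, whose page is not served over HTTPS, or whose certificate issuer is not Microsoft Corporation. ONEDRIVE_HOSTS, the function names and the two sample certificates are assumptions constructed for the example.

```python
import socket
import ssl
from urllib.parse import urlsplit

# Domains that legitimately host OneDrive shares (assumption: extend for your own tenant).
ONEDRIVE_HOSTS = ("onedrive.live.com", "1drv.ms", "sharepoint.com")
EXPECTED_ISSUER_ORG = "Microsoft Corporation"

def host_is_trusted(host, trusted=ONEDRIVE_HOSTS):
    """True only if host is a trusted domain or a subdomain of one.
    Matching on whole labels defeats look-alikes such as onedrive.live.com.evil.example."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)

def issuer_org(cert):
    """Pull organizationName out of the issuer structure that ssl.getpeercert() returns."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None

def assess(url, cert):
    """Return the red flags for a URL plus its certificate; an empty list means it looks like a real share."""
    flags = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        flags.append("not served over https")
    if not host_is_trusted(parts.hostname):
        flags.append("host is not a OneDrive domain")
    if cert is None:
        flags.append("no certificate presented (connection not over TLS)")
    elif issuer_org(cert) != EXPECTED_ISSUER_ORG:
        flags.append("certificate issuer is not " + EXPECTED_ISSUER_ORG)
    return flags

def fetch_cert(url, timeout=5):
    """Live helper: fetch and validate the server certificate (the offline samples below do not call it)."""
    host = urlsplit(url).hostname
    ctx = ssl.create_default_context()
    with socket.create_connection((host, 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed samples mirroring the post: a genuine share and the phishing landing page.
GENUINE_CERT = {"issuer": ((("organizationName", "Microsoft Corporation"),), (("commonName", "constructed-ca"),))}
PHISH_CERT = {"issuer": ((("commonName", "constructed-self-signed"),),)}
```

Pass `fetch_cert(url)` as the second argument to `assess` to run it against a live share; an untrusted or mismatched certificate makes `fetch_cert` raise rather than return silently.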
Lessons Learned
a) Be suspicious of any drive shares from strangers!
b) Always check the URL and SSL cert to differentiate between a genuine website and a phishing one.